I've been developing with Tomcat for years, and I never really knew about this issue.

I'd have to say that it must not be a widely known issue. Perhaps since the security picture has changed over the past couple of years it's time to revisit this issue.

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585

> -----Original Message-----
> From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 15, 2006 2:24 PM
> To: Tomcat Users List
> Subject: Re: Session Expires At Every Request (Tomcat5.0.28/Firefox)
>
> Adam and Mallory have to stop shopping! =)
>
> this debate has been going on for years, you just caught on to it now,
> and I was in it last time, don't plan on participating again. Have fun
> with it though!!
>
> Filip
>
>
> George Sexton wrote:
> > An even simpler case:
> >
> > Adam visits a banking site. On entering the site he gets a cookie.
> >
> > Mallory snoops the session ID on the data stream.
> >
> > Adam then authenticates to read his account information. The application
> > sets a session attribute (say a bean with the account name and number) on
> > the session.
> >
> > Mallory now enters the secure area of the banking site using the forged
> > session ID.
> >
> > Poof. Mallory is logged in as Adam.
> >
> > Poof. Adam is had and his data is there to be stolen, or wire transferred to
> > another account.
> >
> > George Sexton
> > MH Software, Inc.
> > http://www.mhsoftware.com/
> > Voice: 303 438 9585
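The defense the quoted scenario calls for is to rotate the session ID at the moment of authentication, so the ID Mallory snooped while Adam was anonymous is already dead when the account bean is attached. The following is an added example, not code from this thread or from Tomcat itself, written against the javax.servlet API; the abstract authenticate() is an assumed application-specific hook, and later Tomcat releases perform this rotation themselves for container-managed login (the changeSessionIdOnAuthentication authenticator attribute).

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Login servlet that replaces the session ID at the moment of authentication,
// so the ID Adam carried while anonymous (the one Mallory snooped) dies at
// login instead of becoming the key to his authenticated session.
public abstract class RotatingLoginServlet extends HttpServlet {
    // Application-specific credential check: assumed here, not from the thread.
    protected abstract boolean authenticate(String username, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (!authenticate(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Attach account data only after login, and only to a brand-new session.
        HttpSession fresh = rotateSession(req);
        fresh.setAttribute("account", user);
        resp.sendRedirect(req.getContextPath() + "/account");
    }

    // Invalidate the current session, carry its attributes over and start a new
    // one, so Tomcat issues a new JSESSIONID. (Servlet 3.1+: req.changeSessionId().)
    static HttpSession rotateSession(HttpServletRequest req) {
        Map<String, Object> carried = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the snooped pre-login ID is now unusable
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Rotation closes the elevation half of the scenario; the snooping half is addressed by serving the site over HTTPS with the session cookie marked Secure, so the ID never crosses the wire in the clear.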